VPN between 3 zywalls

Archived from groups: comp.dcom.vpn (More info?)

Hi!

Maybe anyone knows a solution for the following problem:

I want to establish a VPN between a headquarters and 2 offices (3
different IP subnets). Each location uses a zywall as internet router
and firewall.

First, obviously it's impossible to create 2 VPN rules at the
headquarters, each of them connecting to one office, because the local
subnets of the 2 rules would overlap.

On the other side, when I share one VPN rule at the headquarters for
both clients, using 0.0.0.0 for the client IP address (and vice versa)
as it's described in the zywall documentation, it's only possible to
initiate the connection from the client side. This doesn't cover my
needs. I need to initiate the connection from both sides!

So, are there any other possibilities to master such a scenario with 3
zywalls?

Any help would be greatly appreciated,
best regards, Gert
 

Gert Wurzer wrote:
> Hi!
>
> Maybe anyone knows a solution for the following problem:
>
> I want to establish a VPN between a headquarters and 2 offices (3
> different IP subnets). Each location uses a zywall as internet router
> and firewall.
>
> First, obviously it's impossible to create 2 VPN rules at the
> headquarters, each of them connecting to one office, because the local
> subnets of the 2 rules would overlap.
>
> On the other side, when I share one VPN rule at the headquarters for
> both clients, using 0.0.0.0 for the client IP address (and vice versa)
> as it's described in the zywall documentation, it's only possible to
> initiate the connection from the client side. This doesn't cover my
> needs. I need to initiate the connection from both sides!
>
> So, are there any other possibilities to master such a scenario with 3
> zywalls?
>
> Any help would be greatly appreciated,
> best regards, Gert
>


You can create 1 tunnel to each location with fixed IPs, can't you?

Do you want the 2 offices to be able to see each other? If so then you
either need to make a separate tunnel connecting 1 office to the other
or you need to set up your IP subnets in such a way that all traffic for
the other office goes through the central location first.

Also it's not obvious that you cannot create 2 VPN rules to the same
location. In many routers this works. I have set up a VPN where there
were 5 separate and distinct tunnel connections between the same 2
routers. If your router supports multiple subnets over the same tunnel,
it's actually going to create separate security associations for each
subnet pair, but it hides these details from you.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
 

Hello again!

First of all thanks for your answer!
Yes, I can create a tunnel to the two offices with fixed, single IPs.
It's not necessary that the offices can see each other, but I need to
connect to them not only from a single machine in the headquarters. The
whole subnet should be able to establish connections to both offices.
Thus the local IP address ranges of the two rules would overlap, and the
zywall says that this is not allowed!

Thanks in advance for any further hints and best regards
 

Gert Wurzer wrote:
> Hello again!
>
> First of all thanks for your answer!
> Yes, I can create a tunnel to the two offices with fixed, single IPs.
> It's not necessary that the offices can see each other, but I need to
> connect to them not only from a single machine in the headquarters. The
> whole subnet should be able to establish connections to both offices.
> Thus the local IP address ranges of the two rules would overlap, and the
> zywall says that this is not allowed!
>
> Thanks in advance for any further hints and best regards

If your branches and head office have conflicting network addresses then
the best thing to do is renumber them. It's technically possible to
connect multiple subnets with the same remote LAN addresses if you use
network address translation but this is a last-resort solution. Many
networking protocols fail to work under NAT.

You should have a unique address range for every office in your
organization. You should also avoid using the very common private
ranges used in consumer routers to avoid conflicts with employees' home
networks if you decide to enable remote access. (Stay far away from
192.168.0.xxx and 192.168.1.xxx.) I suggest you use 10.xxx.xxx.xxx for
your internal networks. You can vary the second and third sets of
numbers for each branch or region.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
 

Hi Mike!

Thanks for your efforts, but I guess we don't talk about the same
problem.

The problem is NOT caused by conflicting office subnets. All locations
have a unique address range.
Because of the architecture with a central headquarters and the need to
initiate the connection from the offices as well as from the
headquarters I have to implement 2 VPN rules at the headquarters. For
both of them the local IP range of course must be the same and exactly
this leads to an error during the VPN configuration of the zywall! It
says that the local address ranges of multiple active(!) VPN rules must
not overlap.

Best regards, Gert
 

Gert Wurzer wrote:
> Hi Mike!
>
> Thanks for your efforts, but I guess we don't talk about the same
> problem.
>
> The problem is NOT caused by conflicting office subnets. All locations
> have a unique address range.
> Because of the architecture with a central headquarters and the need to
> initiate the connection from the offices as well as from the
> headquarters I have to implement 2 VPN rules at the headquarters. For
> both of them the local IP range of course must be the same and exactly
> this leads to an error during the VPN configuration of the zywall! It
> says that the local address ranges of multiple active(!) VPN rules must
> not overlap.
>
> Best regards, Gert
>

Sounds like something specific to the implementation of that device.
(Unless I'm not understanding your configuration) I have never used
that specific equipment but in my experience most VPN routers are very
similar conceptually.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
 

> The problem is NOT caused by conflicting office subnets.
> All locations have a unique address range.
> Because of the architecture with a central headquarters
> and the need to initiate the connection from the offices
> as well as from the headquarters I have to implement 2 VPN
> rules at the headquarters. For both of them the local IP
> range of course must be the same and exactly this leads
> to an error during the VPN configuration of the zywall!
> It says that the local address ranges of multiple
> active(!) VPN rules must not overlap.

Gert,

We've implemented multiple rules like this using ZyXEL ADSL routers
which have a similar IPsec implementation to ZyWALLs without any issues
(well, at least not with this issue, anyway).

Ray
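The disagreement in the thread comes down to what a device treats as a conflicting IPsec policy. Mike and Ray describe routers that key each security association on the full (local, remote) selector pair, so two hub rules with the same local LAN and different office subnets never match the same packet; the ZyWALL error Gert quotes is a stricter check on the local selector alone. The script below is an added example for this thread, not the ZyWALL's or any other vendor's logic: it models hub rules as selector pairs, flags the pairs a packet could match ambiguously, and can optionally apply the stricter local-only test. It also shows why the 0.0.0.0 wildcard remote from Gert's first post collides with every concrete rule. The rule names and 10.0.x.0/24 prefixes are constructed.

```python
"""Detect ambiguous IPsec policy rules on a hub-and-spoke VPN hub.

Added example (not the ZyWALL's logic): each rule is a (local, remote)
traffic-selector pair. Two rules are ambiguous when one packet could
match both, i.e. both the local AND the remote selectors overlap. With
strict_local=True the check instead rejects any two rules whose local
selectors overlap, mimicking the stricter error reported in the thread.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# The 'accept any peer' wildcard: such a rule can only respond to an
# incoming negotiation, it has no fixed peer to initiate towards.
ANY = ip_network("0.0.0.0/0")


class Rule:
    """One IPsec policy: traffic from `local` to `remote` goes into this tunnel."""

    def __init__(self, name, local, remote):
        self.name = name
        self.local = ip_network(local)
        self.remote = ip_network(remote)

    def matches(self, src, dst):
        """True if a packet src->dst falls inside this rule's selectors."""
        return ip_address(src) in self.local and ip_address(dst) in self.remote

    def can_initiate(self):
        """A rule can open the tunnel itself only when its peer side is concrete."""
        return self.remote != ANY


def ambiguous_pairs(rules, strict_local=False):
    """Return (name, name) tuples for rule pairs that collide.

    strict_local=False: both selectors overlap, so the hub could not decide
    which SA a matching packet belongs to.
    strict_local=True: local selectors alone overlap (stricter device policy).
    """
    out = []
    for a, b in combinations(rules, 2):
        local_clash = a.local.overlaps(b.local)
        remote_clash = a.remote.overlaps(b.remote)
        if local_clash and (strict_local or remote_clash):
            out.append((a.name, b.name))
    return out


def rules_for(rules, src, dst):
    """Names of every rule a packet src->dst would match (should be at most one)."""
    return [r.name for r in rules if r.matches(src, dst)]


if __name__ == "__main__":
    # Constructed hub rule set: HQ LAN 10.0.1.0/24, offices on 10.0.2.0/24 and 10.0.3.0/24.
    hub = [
        Rule("to-office1", "10.0.1.0/24", "10.0.2.0/24"),
        Rule("to-office2", "10.0.1.0/24", "10.0.3.0/24"),
    ]
    print("selector-pair check:", ambiguous_pairs(hub) or "no ambiguity")
    print("local-only check:", ambiguous_pairs(hub, strict_local=True))
    print("10.0.1.5 -> 10.0.3.7 matches:", rules_for(hub, "10.0.1.5", "10.0.3.7"))

    # Replacing the second office rule with the 0.0.0.0 wildcard collides with
    # the concrete rule under either check and cannot initiate.
    wildcard = [hub[0], Rule("any-peer", "10.0.1.0/24", "0.0.0.0/0")]
    print("wildcard check:", ambiguous_pairs(wildcard), "initiates:", wildcard[1].can_initiate())
```

With the two concrete office rules the selector-pair check finds nothing and every packet matches exactly one rule, while the local-only check reports the same pair the ZyWALL rejects; the wildcard variant is flagged by both checks and cannot initiate.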